Found an English document on SOAP; sharing it so everyone can study it. (Anyone is welcome to translate it into Chinese!) (50 points)

jacklin
http://www.counterpane.com/crypto-gram-0006.html
 
SOAP

SOAP (Simple Object Access Protocol) is a proposed standard for linking
Internet applications running on different platforms, using XML messages.
SOAP is designed to connect together programs running on different machines,
without regard to what OS/CPU is on each. It's basically remote procedure
calls (RPC) implemented via HTTP with XML content. Because no security is
required in either HTTP, XML, or SOAP, it's a pretty simple bet that different
people will bungle any embedded security in different ways, leading to different
holes on different implementations. SOAP is going to open up a whole new avenue
for security vulnerabilities.

SOAP has been developed by a bunch of companies, but it's instructive to read
Microsoft's own words on security and SOAP:

"Currently, developers struggle to make their distributed applications work
across the Internet when firewalls get in the way. Since most firewalls block
all but a few ports, such as the standard HTTP port 80, all of today's
distributed object protocols like DCOM suffer because they rely on dynamically
assigned ports for remote method invocations. If you can persuade your system
administrator to open a range of ports through the firewall, you may be able
to get around this problem as long as the ports used by the distributed object
protocol are included.

"To make matters worse, clients of your distributed application that lie
behind another corporate firewall suffer the same problems. If they don't
configure their firewall to open the same port, they won't be able to use your
application. Making clients reconfigure their firewalls to accommodate your
application is just not practical.

"Since SOAP relies on HTTP as the transport mechanism, and most firewalls allow
HTTP to pass through, you'll have no problem invoking SOAP endpoints from
either side of a firewall. Don't forget that SOAP makes it possible for system
administrators to configure firewalls to selectively block out SOAP requests
using SOAP-specific HTTP headers."

That's right. Those pesky firewalls prevent applications from sending commands
to each other, so SOAP lets vendors hide those commands as HTTP so the firewall
won't notice.

Let's continue the DCOM example. So what if DCOM runs over a firewall?

DCOM is Microsoft's main protocol for inter-application communication. It's not
just used by programs that are intended to be servers; it's used for all sorts
of desktop communication and remote access. The result is that an average
machine has dozens of programs using DCOM. Mine shows 48, ranging from
"Microsoft PowerPoint Presentation" to "logagent" and including the catchily
named "{000C101C-0000-0000-C000-000000000046}"; you may be able to list yours
by bringing up a Command Prompt and typing "dcomcnfg".

Now, there are lots and lots of ways to secure DCOM applications, so maybe all
of those applications are happily responding only to authenticated requests
from the local machine. On the other hand, there are lots and lots of ways to
make DCOM applications insecure, so maybe one of them is just waiting for
somebody to send it an entirely unauthenticated request to overwrite selected
files on my hard disk.

Firewalls have good reasons for blocking protocols like DCOM coming from
untrusted sources. Protocols that sneak them through are not what's wanted.

Information on SOAP:
<http://soap.weblogs.com/>

Microsoft's document (which includes the quoted paragraphs):
<http://msdn.microsoft.com/library/periodic/period00/soap.htm>
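As an added example (not part of the Crypto-Gram article or of Microsoft's document), the selective filtering that the quoted paragraph mentions, written as a small Python classifier a proxy or firewall could apply: a POST counts as SOAP when it carries a SOAPAction header or when its XML body has a SOAP 1.1 Envelope as root, so SOAP RPC can be blocked while ordinary web traffic on port 80 passes. The sample requests are constructed; the SOAP namespace URI and the SOAPAction header are standard SOAP 1.1.

```python
import xml.etree.ElementTree as ET

# SOAP 1.1 Envelope element, namespace-qualified the way ElementTree reports it.
SOAP11_ENVELOPE = "{http://schemas.xmlsoap.org/soap/envelope/}Envelope"
SOAP_CONTENT_TYPES = ("text/xml", "application/soap+xml")


def parse_request(raw: bytes):
    """Split a raw HTTP/1.x request into (method, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method = lines[0].split(" ", 1)[0]
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method, headers, body


def is_soap_request(raw: bytes) -> bool:
    """Recognise SOAP RPC riding on HTTP: a POST with a SOAPAction header, or an
    XML body whose root is a SOAP 1.1 Envelope. The body is checked as well
    because a filter keyed only on the optional header is incomplete."""
    method, headers, body = parse_request(raw)
    if method != "POST":
        return False
    if "soapaction" in headers:
        return True
    ctype = headers.get("content-type", "").split(";")[0].strip().lower()
    if ctype not in SOAP_CONTENT_TYPES or not body.strip():
        return False
    try:
        root = ET.fromstring(body)
    except ET.ParseError:
        return False
    return root.tag == SOAP11_ENVELOPE


def decide(raw: bytes, block_soap: bool = True) -> str:
    """Policy hook for a proxy: block SOAP RPC, allow ordinary web traffic."""
    return "block" if block_soap and is_soap_request(raw) else "allow"


# Constructed sample traffic (not captured from any real system).
PLAIN_GET = b"GET /index.html HTTP/1.1\r\nHost: www.example.com\r\n\r\n"
SOAP_BODY = (b'<?xml version="1.0"?>'
             b'<s:Envelope xmlns:s="http://schemas.xmlsoap.org/soap/envelope/">'
             b'<s:Body><m:GetPrice xmlns:m="urn:example"/></s:Body></s:Envelope>')
SOAP_WITH_HEADER = (b"POST /rpc HTTP/1.1\r\nHost: www.example.com\r\n"
                    b"Content-Type: text/xml; charset=utf-8\r\n"
                    b'SOAPAction: "urn:example#GetPrice"\r\n\r\n' + SOAP_BODY)
SOAP_NO_HEADER = (b"POST /rpc HTTP/1.1\r\nHost: www.example.com\r\n"
                  b"Content-Type: text/xml\r\n\r\n" + SOAP_BODY)
```

Running `decide(SOAP_NO_HEADER)` returns "block" even though no SOAPAction header is present, which is the case a header-only rule would let through.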
 
Hang on, I'll post it for you this afternoon.
But this is my first time translating, so please correct any mistakes! [:D][:D]

Translation follows: (took me half an hour, one point per minute [:D])

--------------------------------------------------------------------
SOAP (Simple Object Access Protocol) is an anticipated standard for connecting internet applications on different platforms using XML messages. SOAP is designed to link programs on different platforms together, regardless of which operating system/CPU they run on. It is basically remote calls (RPC) over HTTP carrying XML. Because neither HTTP, XML, nor SOAP requires security, different people implement the embedded security in different ways, leading to different holes in different implementations. SOAP will open up a whole new avenue for this security fragility.
SOAP was developed by a group of companies, but Microsoft's own wording on security and SOAP is instructive:
"Currently, developers are struggling to make their distributed applications work on the INTERNET when firewalls are in the way. Because most firewalls block all ports other than a few such as HTTP port 80, distributed object protocols like DCOM, which rely on dynamically assigned ports to perform remote method activation, suffer greatly. If you can persuade your system administrator to open some ports through the firewall, you will be able to avoid these problems as long as the ports used by the distributed object protocol are included.
"If the clients of your distributed application sit behind another corporate firewall, it is even worse. If the clients don't configure their firewall to open the same ports, they won't be able to use your program. Making clients reconfigure their firewalls to accommodate your program is unrealistic.
"Because SOAP relies on HTTP as its transport mechanism, and most firewalls allow HTTP to pass, there is no problem waking up SOAP nodes from either side of a firewall. Don't forget, SOAP lets system administrators configure firewalls with SOAP-specific HTTP HEADERS to selectively output SOAP requests."
That's right. Those annoying firewalls hinder applications from sending commands to each other. So SOAP lets vendors (VENDORS) hide the commands as HTTP, leaving the firewall none the wiser. Let's continue with this DCOM example. What happens if DCOM gets around the firewall?
DCOM is Microsoft's main protocol for inter-application communication. It is not only used by programs oriented toward SERVERS, but also for all desktop communication and remote access. The result is that an ordinary machine has dozens of programs constantly using DCOM. My machine has 48 such programs, ranging from "Microsoft PowerPoint Presentation" to "logagent", and also including intermittent names like "{000C101C-0000-0000-C000-000000000046}". Type the "dcomcnfg" command in a DOS window and you can see such programs on your machine.
There are many ways to ensure the security of DCOM programs (all those applications that only respond to authorized requests from the local machine). Conversely, there are also many ways to make DCOM programs insecure, such as waiting for someone to send an unauthorized request to overwrite some file on your hard disk.
Firewalls have good reasons to block certain protocols (such as DCOM from untrusted sources); they would sneak into places they should not go.
--------------------------------------------------------------------


Source:
<http://soap.weblogs.com/>
<http://msdn.microsoft.com/library/periodic/period00/soap.htm>

Answer accepted.
